5 Million Reasons to Invest in Training – The Colonial Pipeline Cyber Attack

On Friday, May 7th 2021, Colonial Pipeline, a privately owned pipeline operations company, learned that it was the victim of a ransomware attack.  This event threw the entire fuel infrastructure of the Eastern United States into a state of disruption.

Colonial Pipeline is one of the largest pipeline operators in the United States, and its pipelines supply about 45% of the East Coast's fuel.  The fuel types transported by the pipeline include gasoline, diesel, jet fuel, and household heating oil.  Colonial Pipeline runs 5,500 miles of pipeline between Texas and New Jersey, pumping millions of gallons of fuel each day.

Once Colonial learned of the attack, they took some of their systems offline, which halted major pipeline operations.  It took until May 13th to restore services. In the meantime, gas shortages occurred throughout the southeastern United States and many people began hoarding gasoline in a panic.

The ransomware attack encrypted around 100GB of data.  The nature of the encrypted data is unknown, but what is clear is that Colonial Pipeline was unprepared for such an attack.  Colonial responded by shutting down major pipelines and kept these systems offline for several days, which indicates that they were attempting to isolate and remediate the breach in their network defenses.  The fact that major pipelines were kept offline for more than a few days shows that Colonial did not possess the proper backups to restore their data; they were at the mercy of the hackers.

Ransomware attacks are designed to render data unusable by encrypting it.  The attacker then demands a ransom, usually payable in cryptocurrency, to decrypt the data.  Regular backups are the key to defeating a ransomware attack.  A company can choose to simply restore its data from a backup and continue operations as normal.  The encrypted data will remain encrypted, but the company would be able to recover most of that data from the last backup.
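The restore-from-backup strategy described above only works if the backup is intact and the restore has actually been rehearsed. The following added example (not code from the article or from Colonial Pipeline) is a small restore drill in Python: it backs up a constructed set of sample files together with a SHA-256 manifest, simulates the loss of the live copies by overwriting them with placeholder bytes (no real encryption is performed), verifies the backup against the manifest, and restores it. A second scenario alters a backup copy after the fact to show that verification catches it and that the restore refuses to proceed. The file names and contents are constructed for the demonstration.

```python
"""Backup manifest, verification and restore drill (constructed example)."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 of a file, streamed in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(src_dir: Path, backup_dir: Path) -> dict:
    """Copy every file under src_dir into backup_dir/data and record its hash
    in backup_dir/manifest.json. Returns the manifest {relative_path: sha256}."""
    data_dir = backup_dir / "data"
    manifest = {}
    for path in sorted(p for p in src_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(src_dir).as_posix()
        target = data_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_file(target)  # hash the copy, not the source
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path) -> list:
    """Recompute every hash in the manifest; return the relative paths whose
    backup copy is missing or no longer matches (an empty list means clean)."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    bad = []
    for rel, expected in manifest.items():
        copy = backup_dir / "data" / rel
        if not copy.is_file() or sha256_file(copy) != expected:
            bad.append(rel)
    return bad


def restore_backup(backup_dir: Path, dest_dir: Path) -> int:
    """Verify the backup, then copy every file back into dest_dir.
    Refuses to restore from a backup that fails verification."""
    bad = verify_backup(backup_dir)
    if bad:
        raise RuntimeError(f"backup failed verification: {bad}")
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    for rel in manifest:
        target = dest_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(backup_dir / "data" / rel, target)
    return len(manifest)


def restore_drill() -> dict:
    """Run the whole drill on constructed sample data in a temp directory."""
    root = Path(tempfile.mkdtemp(prefix="backup-drill-"))
    src, backup = root / "live", root / "backup"
    originals = {  # constructed sample files, not real operational data
        "config.ini": b"[pipeline]\nflow_rate=1200\n",
        "reports/q1.csv": b"date,gallons\n2021-01-01,500000\n",
    }
    for rel, content in originals.items():
        (src / rel).parent.mkdir(parents=True, exist_ok=True)
        (src / rel).write_bytes(content)

    create_backup(src, backup)
    clean_before = verify_backup(backup)

    # Stand-in for the incident: every live file is replaced by unreadable
    # bytes (a constructed placeholder; no real encryption is performed).
    for rel in originals:
        (src / rel).write_bytes(b"\x00\xffUNREADABLE-PLACEHOLDER")

    restored = restore_backup(backup, src)
    contents_match = all((src / rel).read_bytes() == c for rel, c in originals.items())

    # Second scenario: a backup copy itself is altered after the fact.
    (backup / "data" / "config.ini").write_bytes(b"tampered")
    tampered = verify_backup(backup)
    try:
        restore_backup(backup, src)
        refused = False
    except RuntimeError:
        refused = True

    shutil.rmtree(root)
    return {
        "clean_before_restore": clean_before,
        "restored": restored,
        "contents_match": contents_match,
        "tampered": tampered,
        "restore_refused": refused,
    }


if __name__ == "__main__":
    print(restore_drill())
```

The design point is that a backup you have never verified or restored is a hope, not a control: the manifest lets a restore refuse a backup that has been altered or partially lost, and the drill itself is what tells you how long recovery actually takes. In practice the manifest and the backup data should live where the systems being backed up cannot write to them (offline or write-protected storage), otherwise the same incident that hits the live data can hit the backup.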

It is almost always detrimental to the company to pay the ransom.  First, there is no guarantee that the attackers will decrypt the data once they are paid.  Second, the attackers can decrypt the data at their leisure, leading to further delays.  Third, studies have shown that ransom payments are on the rise.  According to the Palo Alto Ransomware Report 2021, the average cost of ransoms was $115,123.

While the exact attack method is unknown, the FBI identified the responsible party, a hacker group known as DarkSide.  This group tends to favor industrial sector targets and is highly selective in choosing its victims.  They conduct extensive research and reconnaissance on their intended victim prior to conducting an attack.  Then, they customize the malware used to suit the target network.  DarkSide will even tailor the ransom demand to take a company's revenue into consideration.

They often perform “double extortion” attacks where they encrypt the data but also threaten to leak it.  According to their website and press releases, DarkSide claims that they are apolitical and only interested in making money.  “Our goal is to make money, and not creating problems for society. From today we introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.”

Colonial reportedly paid DarkSide a ransom of roughly 5 million USD in cryptocurrency to have their data decrypted.  This is a staggering amount and is clearly much higher than the average ransom cost of $115,123.  Clearly, DarkSide knew the significance and level of success of their attack and exploited it for maximum gain.  The fact that the company had to pay the ransom, even after consulting with third-party security professionals, shows that they were completely unprepared for such an attack.

Had Colonial performed proper regular backups, they would have been able to restore this data within a few days at most, at a significantly lower cost.  Performing proper data backups is critical to protecting against ransomware attacks.  Had Colonial personnel been trained in proper backup techniques, the impact of this attack would have been drastically mitigated.

An attack on an industrial sector target, like Colonial, is not surprising.  According to Kaspersky, attacks on industrial sector targets went up by 85% in the second half of 2020.  Hackers are realizing that industrial targets are often less prepared to deal with cybersecurity threats.  Aging industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems are easily exploited by attackers.  These systems are designed to control industrial equipment, not to withstand network attacks.  Because of this, they have less robust security features of their own and must be secured using other devices placed around them.

Also, the IT personnel tasked with managing these systems are often not trained in cybersecurity techniques and procedures.  This creates a double threat for industrial sector companies.  Hackers are quick to identify and exploit these weaknesses.

Training is the most cost-effective way to mitigate the risks from ransomware attacks.  According to the Ponemon Institute, individuals trained in cybersecurity techniques were more than twice as effective at identifying and preventing cyber attacks as non-trained employees.  The relative cost of training is incredibly small if that training can prevent a cyber attack.  Certainly, the cost of cybersecurity training for Colonial could not exceed 5 million dollars…

The Colonial attack shows the importance of cybersecurity for any industry and how a data breach can have unforeseen, far-reaching consequences.  This event will only lead to an increase in the demand for trained and certified cybersecurity professionals.  In fact, President Biden responded to the attack by issuing an executive order designed to increase the cybersecurity requirements for government systems.

